An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

In a January 15, 2014 update, the National Institutes of Standards and Technology (“NIST”) announced that it would eliminate contentious privacy provisions in Appendix B of the Preliminary Cybersecurity Framework. The appendix was originally intended “to protect individual privacy and civil liberties” as part of the February 2012 Executive Order 13636 requiring NIST to establish a framework to manage cybersecurity risk. The proposed privacy provisions generated widespread controversy, however, because “the methodology did not reflect consensus private sector practices and therefore might limit use of the Framework.” As a result, NIST determined that the appendix “did not generate sufficient support through the comments to be included in the final Framework.”

In place of a separate privacy appendix, NIST stated that it would incorporate an alternative methodology proposed on behalf of several industry sectors. This substitute approach eliminates references to specific privacy standards, such as Fair Information Practice Principles (FIPPs), given the current lack of consensus regarding such standards. Instead, the Framework will provide “more narrowed and focused” guidance in the “How To Use” section that requires companies to consider privacy implications and address them as appropriate. The high-level measures now include ensuring proper privacy training, reviewing any monitoring activities, and evaluating any privacy concerns that arise when information (such as threat data) is shared outside the company. According to NIST, this approach will “allow organizations to better incorporate general privacy principles when implementing a cybersecurity program.”

Although eliminating the privacy appendix in favor of more general guidance was the only definitive change that NIST announced, the update also noted several other common issues raised in public comments. These topics – which include reaching consensus on what “adoption” of the Framework entails and the use of “Framework Implementation Tiers” to assess the strength of a company’s cybersecurity program – will remain key areas of debate once the Cybersecurity Framework is released on February 13, 2014.

Although the Framework is slated for release in just a few weeks (and will be available here), NIST made clear that it is intended to be a “living document” that will need to be “update[d] and refine[d] . . . based on lessons learned through use as well as integration of new standards, guidelines, and practices that become available.” NIST also explained that it intends to continue serving as the “convener” for such changes until the document can be transitioned to a non-government organization, but will issue a roadmap with more details soon.

A California appellate court recently dismissed a putative class action alleging that UCLA violated the California Confidentiality of Medical Information Act (CMIA) when an employee lost an encrypted hard drive containing 16,000 patient records. The court concluded that the plaintiff’s claim—which sought a whopping $16 million based on $1,000 in nominal damages for each record—failed to allege that any “release” to a third party actually occurred. Although the decision ostensibly applies only to the CMIA, it has potential broader implications for entities defending class actions seeking damages for data breaches.

Background

In November 2011, UCLA notified approximately 16,000 patients that an encrypted hard drive containing personally identifiable medical information had been stolen from a physician’s home two months earlier. The burglars also stole an index card stored near the hard drive that contained the encryption key. On October 30, 2012, the plaintiff filed a putative class action alleging that UCLA “failed to have reasonable systems and controls in place to prevent the removal of protected health information from the hospital premises and as a result it negligently lost possession of the hard drive and encryption passwords.” Although the plaintiff did not claim actual damages, she sought $1,000 in nominal damages for each of the 16,000 class members.

UCLA moved to dismiss the complaint, alleging that the hard drive theft did not constitute a “release” of information, which UCLA claimed was a prerequisite to recover nominal damages under the CMIA. Although the lower court agreed that the hard drive theft did not amount to a “release” of information (and struck that part of the complaint), the court also held that the CMIA provided remedies for negligent “maintenance, preservation, and storage of confidential data” (and thus permitted a claim to proceed on that basis).

The Appellate Opinion

The appellate court reversed, holding that the CMIA’s “remedies” section (Section 56.36(b)) permits the recovery of nominal damages only for the negligent “release” of confidential information. The court acknowledged that the CMIA also requires medical information to be maintained and stored confidentially (in Section 56.101), and that entities that fail to do so “shall be subject to the remedies” set forth in Section 56.36(b). The court held, however, that a “release” of information was still a prerequisite to recover nominal damages under Section 56.36(b) because the term “remedy” refers to the cause of action (i.e., for the “release” of information), not just the type of recovery (i.e., the nominal damages). In other words, the negligent failure to maintain and store information confidentially permits recovery of nominal damages only if that failure results in a “release” of the information.

In holding that nominal damages are available only for the “release” of information, the court distinguished between the statutory availability of nominal damages for the “release” of information (in Section 56.36(b)) and the separate provision permitting compensatory and punitive damages for the “disclosure” of information (in Section 56.35). To determine whether a “release” had occurred that would permit a nominal damages claim, the court therefore examined the difference between a “disclosure” and a “release.” Whereas a “disclosure” requires an affirmative act of communication, the word “release” is much broader, encompassing situations where information is “allowed to move away or spread from a source” or allowed “to escape confinement” such that it was accessed by a third party. Thus, although a “disclosure” may also fall into the broader category of a “release,” the converse is not necessarily true because a release may not involve an affirmative communication. The court concluded that the plain meaning of “release” encompassed a situation where a physician negligently maintains confidential information and thereby allows it to be accessed by a third party.

Turning back to the plaintiff’s complaint, the court noted that the plaintiff claimed only that UCLA had negligently “lost possession” of the hard drive. Even under a broad definition of the word “release,” the court held that merely losing possession of information was not a violation of the CMIA that permitted recovery of nominal damages. Absent an allegation that a third party actually accessed the information, thereby breaching the confidentiality of the information, the plaintiff could not establish any “release” in violation of the CMIA.

Take-Away Points

UCLA is hardly the first HIPAA-covered entity that has encountered the loss of a laptop or other storage device containing patient information – and it certainly will not be the last. So what helpful information can be gleaned from this opinion?

First, and most directly, this opinion suggests that the CMIA does not permit the recovery of nominal damages where information is lost, but there is no evidence that it was actually “released” – i.e., viewed by a third party. If this opinion stands, plaintiffs will not be able to morph a simple “negligent maintenance of records” claim into a claim for nominal damages under the CMIA short of an actual “release” of information.

Second, although the decision did not discuss the legal significance of encryption, the case highlights the trend toward encrypting data. Here, the theft of the encryption key along with the device undermined the security that encryption normally provides, but it is questionable whether notification would have occurred or the class action ever brought if an encrypted device, but not the key, had been stolen.

Finally, the opinion may provide persuasive authority for entities defending class actions in cases where a device is lost, but there is no evidence of misuse or access. Here, the court held that a “breach” (of confidentiality under the CMIA) only occurs when information is actually viewed. Although this holding should not be construed as a modification to breach notification standards under different state breach notification laws (which typically focus on unauthorized “access” to and/or “acquisition” of personal information) or the Health Insurance Portability and Accountability Act (HIPAA) (which focuses on unauthorized “acquisition, access, use or disclosure” of protected health information that compromises that information), the decision may still provide ammunition for entities defending private class actions. It remains to be seen how this will play out given the different definitions of “breach” in these various laws and the different causes of action that plaintiffs have brought, but this decision certainly provides entities with food for thought in lost device situations.